<p> A cookie's domain specifies which websites should be able to read it. Left blank, browsers are supposed to only send the cookie to sites that
exactly match the sending domain. For example, if a cookie was set by <em>lovely.dream.com</em>, it should only be readable by that domain, and not by
<em>nightmare.com</em> or even <em>strange.dream.com</em>. If you want to allow sub-domain access for a cookie, you can specify it by adding a dot in
front of the cookie's domain, like so: <em>.dream.com</em>. But cookie domains should always use at least two levels.</p>
<p>Cookie domains can be set either programmatically or via configuration. This rule raises an issue when any cookie domain is set with a single
level, as in <em>.com</em>. </p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> the <code>domain</code> attribute has only one level as domain naming. </li>
</ul>
<p>You are at risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<ul>
  <li> You should check the <code>domain</code> attribute has been set and its value has more than one level of domain nanimg, like:
  <em>sonarsource.com</em> </li>
</ul>
<h2>Sensitive Code Example</h2>
<pre>
Cookie myCookie = new Cookie("name", "val");
myCookie.setDomain(".com"); // Noncompliant
java.net.HttpCookie myOtherCookie = new java.net.HttpCookie("name", "val");
myOtherCookie.setDomain(".com"); // Noncompliant
</pre>
<h2>Compliant Solution</h2>
<pre>
Cookie myCookie = new Cookie("name", "val"); // Compliant; by default, cookies are only returned to the server that sent them.

// or

Cookie myCookie = new Cookie("name", "val");
myCookie.setDomain(".myDomain.com"); // Compliant

java.net.HttpCookie myOtherCookie = new java.net.HttpCookie("name", "val");
myOtherCookie.setDomain(".myDomain.com"); // Compliant
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data Exposure
  </li>
</ul>

